Netify Agent

Netify Agent - netifyd

The open source Netify Agent - netifyd - does one thing and one thing very well: network analysis using deep packet inspection. It does not firewall traffic and it does not shape traffic - that job is left to other tools (e.g. the Netify Firewall Agent) that can be integrated with the agent.

The source code is ready to use on various popular Linux distributions, FreeBSD, OpenWRT, Raspberry Pi and more. If you're a technical guy, you can find all the source code on Netify's GitLab project page.

Features

Netify agent features include:

Open source
Small footprint
Protocol detection
Application detection
Hostname metadata

Cipher detection
Firewall and QoS hooks
User agent extraction
Network and bandwidth information

The protocol detection is handled by a modified version of the nDPI library. Netify adds handling for run-time application definitions, JSON stream data, packet dynamics, and more.

Features - In-Depth

How It Works

The netifyd DPI agent captures network traffic across internal (LAN) and - optionally - external (WAN) interfaces. This is a passive capture implementation which means that netifyd can neither alter nor manipulate the packets - it only 'sees' up to a certain number of bytes per packet. These captured packets are then examined and processed by the Netify DPI protocol detection engine.

Flow Data via JSON

Firewalls, QoS engines, and third party applications can connect to netifyd to interact with the network flow data. Netifyd's Agent Socket Interface (TCP/IP and UNIX sockets) provides near real-time agent status and flow/DPI detection data via JSON encoded payloads.

Let's take a look at some sample data (see JSON data below). This particular flow comes from a mobile phone that started up the WhatsApp app. You can see the usual network data in the JSON structure: IP version MAC addresses, IPs, ports, network interfaces and timestamps. In addition, you can see the additional DPI data:

Application: WhatsApp

The detected_application_name shows that it was a flow generated by WhatsApp. In this particular case, this detection was made using the TLS/SSL SNI hostname and certificate common name. Other heuristics are also used to detect applications.

Protocol: HTTPS

The DPI engine detected the HTTPS protocol. This is more than just mapping port 443 to HTTPS, the engine did a full deep packet inspection. In fact, Netify will detect HTTPS over any port.

DPI: HTTPS Details

Detecting the protocol is just the start - the netifyd engine also breaks down the details of the SSL/TLS connection.

The SNI hostname (client_sni: static.whatsapp.net) and certificate common name (server_cn: *.whatsapp.net) are familiar parts of a conversation to network admins. Netify also provides:

the TLS version (0x0303 is TLS 1.2)
the encryption ciphers
the JA3/TLS fingerprints

Other protocols will have different metadata attached. For example, BitTorrent traffic also includes the file hash.

{
  "type": "flow",
  "interface": "ens34",
  "internal": true,
  "established": false,
  "flow": {
    "digest": "09c9e2b73d68fef245c09141cb63dad8d9001a6c",
    "ip_nat": false,
    "ip_version": 4,
    "ip_protocol": 6,
    "vlan_id": 0,
    "other_type": "remote",
    "local_origin": true,
    "other_mac": "00:90:fb:29:ca:ba",
    "local_mac": "a0:c9:a0:e5:2c:eb",
    "other_ip": "31.13.80.53",
    "local_ip": "192.168.4.105",
    "other_port": 443,
    "local_port": 38972,
    "detected_protocol": 196,
    "detected_protocol_name": "HTTPS",
    "detected_application": 544,
    "detected_application_name": "142.netify.whatsapp",
    "detection_guessed": 0,
    "ssl": {
      "version": "0x0303",
      "cipher_suite": "0xc02b",
      "client_sni": "static.whatsapp.net",
      "server_cn": "*.whatsapp.net",
      "client_ja3": "d8c87b9bfde38897979e41242626c2f3",
      "server_ja3": "6e15a5bf660856fa03186247ca41d059"
    },
    "first_seen_at": 1574786068665,
    "first_update_at": 1574786068665,
    "last_seen_at": 1574786068715
  }
}

Netify Integrations

With the Netify JSON network stream, you can develop and create your own integrations: open source, proprietary, in-house... it's up to you. The netifyd engine is open source and we welcome changes, tweaks, and contributions. We have also built two integrations to help get you started:

The Netify Firewall Agent is a Python-based engine that hooks into firewalls and QoS systems.
The Netify Console is an ncurses-based application for ClearOS that shows flow data via the command line.

Please feel free to contact us to discuss integrating netifyd into your product!